Book a Call

Legal

Privacy Policy

Last updated: June 9, 2026

Delegate9 ("Delegate9", "we", "us") provides an AI operations agent that performs time-sensitive outbound work — appointment reminders, no-show recovery, new-lead response, and similar workflows — on behalf of service businesses (each a "Customer"). This Privacy Policy describes what information we collect when Customers and their end-users (patients, leads, customers — together "End Users") interact with the Delegate9 platform at www.delegate9.com (the "Service"), and what we do with it.

1. Roles

Customers act as the data controller for any End User information they send to or generate through the Service. Delegate9 acts as their data processor / service provider. End Users with questions about their own data should contact the Customer they originally interacted with; Delegate9 will assist that Customer in responding.

2. Information we collect

2.1 From Customers

  • Account information: name, business name, work email, role, industry, time zone, and password (stored hashed by our auth provider).
  • Configuration: the phone number we assign to the Customer, the inbound email address we provision, playbook settings, and which third-party integrations are connected.
  • Usage logs: which pages of the dashboard are accessed and when, errors, and product analytics needed to operate the Service.

2.2 From End Users (on behalf of Customers)

  • Contact details shared by the Customer: name, phone number, email address, and any notes.
  • Event detailsshared by the Customer: appointment times, shipment IDs, lead source, and similar metadata needed to execute the Customer's workflow.
  • Conversation content: SMS messages and emails sent to and received from End Users by the Service, plus the timestamps and delivery outcomes (delivered, bounced, replied, etc.).

2.3 From Google (Calendar integration)

Customers may optionally connect their Google Calendar so the agent can offer real, available appointment slots and book confirmed appointments. Connecting Google Calendar grants Delegate9 access to the following scopes:

  • https://www.googleapis.com/auth/calendar — read and write access to the connected calendar.
  • https://www.googleapis.com/auth/calendar.events — create, view, and modify events on the connected calendar.

With these permissions, Delegate9 only does two things on the Customer's behalf:

  • Read free/busy times for the connected calendar so the agent can offer specific, real, available appointment slots to End Users.
  • Create calendar events when an End User accepts a specific time the agent has offered.

Limited use disclosure.Delegate9's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve the appointment-booking features the Customer signed up for (reading free/busy slots and creating events the Customer authorized).
  • We do not sell Google user data.
  • We do not use Google user data for advertising or any form of ad personalization.
  • We do not use Google user data to train generalized AI / ML models. Calendar contents are passed to the Anthropic API only as ephemeral context to choose / propose times, are not used by Anthropic for model training, and are not retained by Anthropic beyond the brief operational logging window described in their data policy.
  • We do notallow humans to read Google user data except (a) with the Customer's explicit consent, (b) when needed for security investigations, (c) to comply with applicable law, or (d) for narrow internal operations where the data has been aggregated / anonymized and is used for internal reporting or troubleshooting.

We store the Google OAuth refresh token in our database, encrypted at rest, so the agent can continue to offer and book slots after the Customer closes their browser. We do not store the contents of calendar events long-term; we read them on demand from Google and keep only the minimum metadata needed to render the Customer's dashboard and case timeline (e.g. the eventId for a booking, the start/end times for an upcoming reminder).

2.4 From the Customer's existing systems

If a Customer wires their existing scheduling, CRM, or shipment system to Delegate9 via webhook, we receive event payloads from those systems containing the data the Customer chooses to send. We treat that data the same way as data collected directly through the Service.

3. How we use information

  • To operate the Service: run the AI agent, send SMS and email on the Customer's behalf, book calendar events, escalate to a human when needed, and surface the case in the Customer's dashboard.
  • To provide security, prevent abuse, debug failures, and maintain service reliability.
  • To communicate with Customers about their account, including escalation notifications, daily briefings, and weekly reports.
  • To comply with legal obligations and respond to lawful requests.

We do not sell personal information. We do not use Customer or End User data for advertising.

4. Sub-processors we rely on

We use a small, vetted set of sub-processors to operate the Service. Each is bound by data-processing terms appropriate to its role.

  • Vercel — application hosting and edge networking.
  • Supabase — managed Postgres database and authentication.
  • Anthropic— large-language-model inference for the AI agent. We send only the minimum context required for the agent's next step (contact name, the configured playbook, the latest inbound reply); we do not send unrelated data and we operate under Anthropic's zero-retention configuration where available.
  • Twilio — SMS delivery and inbound SMS receipt.
  • Resend — email delivery and inbound email receipt.
  • Google LLC — Google Calendar API (only for Customers who connect their calendar).

We update this list as the Service evolves. Customers can request the current list at any time by emailing [email protected].

5. Retention

  • Account & configuration data: kept for the life of the Customer's account, then deleted within 30 days of account termination unless retention is required by law.
  • End User contact + conversation data: retained while the Customer is active so the dashboard, audit trail, and case timeline remain meaningful. Deleted on Customer request or on account termination, subject to law.
  • Google Calendar refresh tokens: deleted within 7 days of the Customer disconnecting the integration or terminating their account, whichever is first.
  • Operational logs (errors, webhook receipts, security events): rotated on a rolling 90-day window.

6. Security

We use TLS in transit, encryption at rest, scoped per-Customer access controls inside the application, and least-privilege credentials for every sub-processor. Authentication is delegated to Supabase Auth. Admin access to production systems is restricted to a small group of named engineers and protected by SSO and 2FA. No system is perfectly secure; if we become aware of a breach affecting a Customer's data we will notify the affected Customer without undue delay.

7. International transfers

Delegate9 operates from Singapore and processes data primarily in regions hosted by our sub-processors (United States and Asia-Pacific). By using the Service, Customers consent to the transfer and processing of data in those locations.

8. End User rights

Depending on jurisdiction, End Users may have the right to access, correct, or delete information about themselves, to object to certain processing, or to withdraw consent. Because Delegate9 acts on behalf of Customers, End User requests should be directed to the Customer the End User originally interacted with. Delegate9 will assist Customers in fulfilling validated requests within a reasonable time frame.

9. SMS & email opt-out

End Users may reply STOPto any SMS message to opt out of further SMS from that Customer's Delegate9-managed number. Email recipients may reply with unsubscribe or use the unsubscribe link where present. Opt-outs are honored across all Delegate9-orchestrated outreach for that End User and that Customer.

10. Children

The Service is not designed for or directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided information through the Service, contact us and we will delete it.

11. HIPAA

For medical and dental Customers, Delegate9 is configured to handle appointment logistics only and is explicitly prompted to avoid clinical content (diagnoses, medications, conditions). Customers operating in healthcare are responsible for ensuring their use of the Service complies with applicable law, including HIPAA where relevant. Customers who require a Business Associate Agreement should contact us at [email protected].

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page and, where appropriate, by notifying Customers via email.

13. Contact

Questions about this Privacy Policy, this Service, or any data we hold should be sent to [email protected].